
How to report a spam email / breach / security bug

25 August 2017

Work in progress - will be presenting in full at September Dallas Hackers Meetup

Receive UCE (spam) at [email protected]
Only ever used on FindMeSpot.com of course, a satellite tracking company
Email from 1-800-PetMeds.com petmeds@yepml.com
Google yepml.com - no results?
Visit yepml.com - oh, it's some kind of email marketing service...
Usually the From domain is going to be a legit domain, so the above steps mean you can be reasonably confident about visiting links in the email
Run it in a VM over Tor and 8 proxies if you're paranoid
View headers for email
Look for abuse header

Ah fuck
Try to decipher the stupid link and get http://track.yepml.com/Cpl?7nRrfnNgcHnWUsU+xsVqVdg9GY3MPzA4Q+e3Vlz7iX+RU9uw4M63P7
Cool, it's a broken form
Maybe it's broken if the ID is bad, check http://track.yepml.com/Cpl?7nRrfnNgcHnWUsU+xsVqVdg9GY3MPzA4Q+e3Vlz7iX+RU9uw4M63P7asdasd
Yeah, still broken, but I decoded the URL properly (and tried a few variations)
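The header and link triage above (From domain vs. Return-Path domain, complaint/unsubscribe headers, percent-encoded tracking links) is easy to script so you do it the same way every time. The block below is an added example, not code from the original post; the raw message it parses is constructed (the example-esp.com hosts, addresses and tracking ID are made up), and the list of complaint-related header names is an assumption about what mailing systems commonly emit, not something the post enumerates.

```python
import email
import re
from email import policy
from urllib.parse import unquote, urlsplit

# Constructed sample message. Hosts, addresses and the tracking ID are made up
# to resemble a typical ESP-relayed marketing mail; this is not the real email.
SAMPLE_RAW = """\
Return-Path: <bounce-123@track.example-esp.com>
Received: from mta1.example-esp.com (mta1.example-esp.com [192.0.2.10])
 by mx.example.net with ESMTPS; Wed, 16 Aug 2017 10:44:02 -0500
From: 1-800-PetMeds.com <petmeds@example-esp.com>
To: spot@example.net
Subject: Pet Supply - 15% Off
Message-ID: <abc123@example-esp.com>
List-Unsubscribe: <mailto:unsub-123@example-esp.com>, <http://track.example-esp.com/u?id=123>
X-Complaints-To: abuse@example-esp.com
Content-Type: text/html; charset=utf-8

<html><body><a href="http://track.example-esp.com/Cpl?7nRrfnNg%2BxsVqVdg9%3D">Shop now</a>
<img src="http://cdn.example-esp.com/open/123.gif" width="1" height="1">
</body></html>
"""

# Header names that commonly point at who handles complaints for the sending
# system (assumed list; real mailers vary).
ABUSE_HEADERS = (
    "X-Complaints-To", "X-Abuse", "X-Abuse-Info", "X-Report-Abuse",
    "List-Unsubscribe", "List-Unsubscribe-Post", "Feedback-ID", "X-Mailer",
)

EMAIL_RE = re.compile(r"[\w.+-]+@[\w.-]+\.\w+")
URL_RE = re.compile(r"https?://[^\s\"'<>]+")


def domain_of_address(value):
    """Domain part of the first e-mail address in a header value, or None."""
    m = EMAIL_RE.search(str(value or ""))
    return m.group(0).split("@", 1)[1].lower() if m else None


def triage_message(raw):
    """Pull out the facts needed before deciding who to report to."""
    msg = email.message_from_string(raw, policy=policy.default)

    present = {name: str(msg[name]) for name in ABUSE_HEADERS if msg[name]}
    # Any mailbox named in a complaints/unsubscribe header is a first-line contact.
    contacts = sorted({m.lower() for v in present.values() for m in EMAIL_RE.findall(v)})

    charset = msg.get_content_charset() or "utf-8"
    body = msg.get_payload(decode=True).decode(charset, "replace")
    links = URL_RE.findall(body)
    link_domains = sorted({urlsplit(u).hostname for u in links})
    # Tracking links are usually percent-encoded; decode them so the real
    # path and ID are readable before you try to visit or vary them.
    decoded_links = [unquote(u) for u in links]

    return {
        "from_domain": domain_of_address(msg["From"]),
        "return_path_domain": domain_of_address(msg["Return-Path"]),
        "abuse_headers": present,
        "abuse_contacts": contacts,
        "link_domains": link_domains,
        "decoded_links": decoded_links,
    }


if __name__ == "__main__":
    for key, value in triage_message(SAMPLE_RAW).items():
        print(f"{key}: {value}")
```

A mismatch between the From domain and the Return-Path or link domains is the usual sign that a third-party mailer sent the message, which is exactly the case where you need two reports: one to the mailer's abuse desk and one to the company whose list leaked.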
Try and find abuse contact on mailer site http://yepml.com/anti-spam-policy.php
Says to email [email protected] - do that and explain
Next visit the site that lost your email - findmespot.com
Look through contact us list for email address
[Begin your collection of email addresses here]
Nothing - there are some phone numbers though, remember that for later
Google site:findmespot.com security - no good hits
Try different combinations, with or without the site: tag, and search for "abuse", "info sec", etc.
Find [email protected] referenced on a website, cool, add to email list
Okay, time for Whois https://whois.net/
Whois Server: whois.101domain.com
Go there - HTTP ERROR 504, sigh
Go to 101domain.com, ctrl+f whois - https://www.101domain.com/whois_search.htm
Hey it works
Registrant Organization: Globalstar - okay, that's the parent company, that's useful
Registrant Email: [email protected] - add this to your email list
Duplicate for any other emails
Tech Name: Matthew Young - hmm, let's look him up
LinkedIn search "matthew young globalstar" - he left the company in 2012, wonderful. Add him to the people list anyway with a note
LinkedIn search "security" and filter current company to GlobalStar - find a few network security people, but no one stands out
Manager of technology, except he's private
Use names later as a backup; if you can contact a netsec guy, they can probably point you to the right team
Look up globalstar, find globalstar.com
Whois search globalstar.com, same information
Check globalstar.com contact page - no emails, contact form and phone number
Same deal, Google site:globalstar.com security
Hmm, blog posts about security of service by a Joseph Crowley in 2012 - probably not useful https://productsupport.globalstar.com/category/globalstar-services/encryption-security/
LinkedIn search Joseph Crowley, hey he still works there! But he looks like a regulatory manager, probably not the guy we want but add him to your people list
Go to findmespot.com and find privacy policy in footer
Ctrl+F "@", find [email protected] - I've actually had good success with privacy emails, usually it's a privacy officer who does kind of care about it
Into the email list it goes
Click around on website, find media contacts page https://www.findmespot.com/en/spotnews/media_contacts.php
Find two PR people and investor relations, add them to the list too (low priority, PR people will just be confused but can get you in the right direction)
Now we have the email format! [email protected]
Now to globalstar.com
Find privacy policy, find email [email protected], add to email list
Find media contacts, one of the PR people from before
If they're an internet company or big enough, check if they have an ASN https://www.ultratools.com/tools/asnInfo
Okay, they own AS19458 - Google AS19458 and get a lot of good info https://www.tcpiputils.com/browse/as/19458 - it gives you the domains hosted in the IP range (great for extra OSINT) as well as the technical contact from ARIN WHOIS
Matthew Young is here again, but we've got another person:
Timothy Calamari, phone number, plus email - add him to the person list
Also email [email protected] - add to email list
Check AS on PeeringDB https://www.peeringdb.com
No results, sometimes you can find the direct NOC phone + email here
Okay, we've got enough to go on, probably
Send a test email to try and get bounces for common addresses we don't already know: [email protected] (except we know that one already, so don't), [email protected], [email protected], [email protected]

Avoid [email protected], [email protected] and [email protected] unless you have absolutely nothing else to go off of
Wait 30 mins - if you get no bounce for any of them, the mail server probably accepts every address (or just doesn't send bounces), so you've learned nothing. If they are valid, you'll probably get someone reaching out anyway. If you get a bounce for only some, the others are valid.
Got a bounce for all - great work guys
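Pulling addresses out of domain WHOIS, ARIN records and the privacy/media pages, adding the role accounts worth probing, and then ordering the whole thing by who is likely to act is the repeatable part of the procedure above. The block below is an added example, not the author's code: the WHOIS and ARIN records it parses are constructed for a fictitious company (nothing from the real lookups is reproduced), the ranking of role names is my own assumption about who tends to respond, and the bounce interpretation follows the rule the post gives (no bounces means no information, all bounced means none exist, partial bounces means the rest are live).

```python
import re
from collections import defaultdict

# Constructed WHOIS and ARIN-style records for a fictitious company. Names,
# addresses and domains are made up; the real records from the post are not used.
DOMAIN_WHOIS = """\
Domain Name: EXAMPLE-TRACKER.COM
Registrar WHOIS Server: whois.example-registrar.com
Registrant Organization: Example Satellite Holdings
Registrant Email: domains@example-holdings.com
Admin Email: domains@example-holdings.com
Tech Name: Pat Former
Tech Email: pat.former@example-holdings.com
"""

ARIN_WHOIS = """\
ASNumber:       64500
ASName:         EXAMPLE-HOLDINGS
OrgName:        Example Satellite Holdings
OrgAbuseName:   Network Abuse
OrgAbuseEmail:  abuse@example-holdings.com
OrgTechName:    Sam Current
OrgTechPhone:   +1-555-0100
OrgTechEmail:   sam.current@example-holdings.com
"""

# Addresses copied by hand from privacy policies and media pages (constructed).
PAGE_ADDRESSES = {"privacy@example-holdings.com", "press@example-tracker.com"}

EMAIL_RE = re.compile(r"[\w.+-]+@[\w.-]+\.\w+")
FIELD_RE = re.compile(r"^([A-Za-z ]+?):\s*(.+?)\s*$")

# Lower rank = contact earlier. This ordering is an assumption about who tends
# to respond, not something the post prescribes. Named people rank 5.
ROLE_RANK = {
    "security": 0, "infosec": 0, "abuse": 1, "privacy": 2, "noc": 3,
    "hostmaster": 4, "postmaster": 4, "dns": 4, "domains": 4, "legal": 6,
    "press": 7, "media": 7, "pr": 7, "ir": 7,
}
LAST_RESORT = {"contact", "info", "support"}   # only when nothing else is left
PERSON_RANK = 5


def harvest(text):
    """Map each address in a WHOIS/ARIN record to the field names it appeared under."""
    found = defaultdict(set)
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if not m:
            continue
        for addr in EMAIL_RE.findall(m.group(2)):
            found[addr.lower()].add(m.group(1).strip())
    return dict(found)


def rank(addr):
    local = addr.split("@", 1)[0].lower()
    if local in LAST_RESORT:
        return 9
    return ROLE_RANK.get(local, PERSON_RANK)


def candidate_role_addresses(domain, known):
    """Role accounts worth a bounce probe, skipping ones already confirmed."""
    probe = [f"{r}@{domain}" for r in ("security", "abuse", "privacy", "noc", "hostmaster")]
    return [a for a in probe if a not in known]


def interpret_bounces(probed, bounced):
    """Read the probe result: which addresses can be treated as live, and why."""
    if not bounced:
        return set(), "no bounces: catch-all or silent drop, no information"
    valid = set(probed) - set(bounced)
    if not valid:
        return set(), "everything bounced: none of these exist"
    return valid, "partial bounces: the unbounced addresses are live"


def build_contact_list(records, page_addresses, domain):
    """Prioritised list of (address, rank, sources) to work through in order."""
    sources = defaultdict(set)
    for rec in records:
        for addr, fields in harvest(rec).items():
            sources[addr].update(fields)
    for addr in page_addresses:
        sources[addr].add("website")
    for addr in candidate_role_addresses(domain, set(sources)):
        sources[addr].add("guess (probe first)")
    ordered = sorted(sources, key=lambda a: (rank(a), a))
    return [(a, rank(a), sorted(sources[a])) for a in ordered]


if __name__ == "__main__":
    for addr, r, src in build_contact_list([DOMAIN_WHOIS, ARIN_WHOIS], PAGE_ADDRESSES,
                                           "example-holdings.com"):
        print(f"{r}  {addr:40}  {', '.join(src)}")
```

Keep the source column: when an address bounces or turns out to belong to someone who left years ago, the field it came from (Tech Email, OrgTechEmail) tells you which registry record is stale and therefore what to report to the registrar or ARIN.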
Order your list of emails and your list of people separately based on who can likely help you, here's what I had

Subject: Possible data breach of customer emails
Hi,
I used the following email address to sign up for services from SPOT: [email protected]
This email was created specifically for the SPOT website and was entered only on this website. It has never been used anywhere else.
On 8/16/2017 I received an unsolicited commercial email to the [email protected] email. Below were the details:
From: 1-800-PetMeds.com [mailto:[email protected]]
Sent: Wednesday, August 16, 2017 10:44 AM
To: [email protected]
Subject: Pet Supply – 15% Off
As you can probably guess, I did not sign up for spam email from 1-800-PetMeds.com on the SPOT-specific email. It seems likely that there may have been a data breach with your company or one of your partners.
Could you please get me in touch with your information security team or the appropriate resource so I can report this?
Please use my personal email [email protected] for correspondence regarding this issue.
Thank you,

Start at the top, and limit contacts to one or two related addresses at a time
First email to [email protected] and [email protected]
Second to just [email protected]
Third to [email protected] and [email protected]
Earlier in the process I sent this over the website contact form, but usually that's my least favorite way to do this
Wait for a response back and think about how much of your time you wasted reporting a breach to a company that obviously does not care about security (sorry: cares about security but is scared to show it)
Remember - if you report it at 11 p.m. on a Friday, don't expect a response until Monday or Tuesday at best
Great, the [email protected] and [email protected] emails bounced, good to know they take those seriously
Go ahead and report to ARIN that their WHOIS is wrong, because fuck 'em (sorry: because accurate WHOIS info is important for the internet's anti-abuse mechanisms to work): https://www.arin.net/public/whoisinaccuracy/index.xhtml
Get an email saying ARIN is going to ask them for new information, but won't do anything if they don't provide it
Further action plan:
- Email people in your list and try to get in touch
Example for Tim Calamari:

Hi Tim,
I am a customer of SPOT and I believe there may have been a data breach with your company or one of your partners.
Could you please get me in touch with your information security team or the appropriate resource so I can report this?
If you could provide their email address or give them mine, [email protected], I would appreciate it.
Thank you,

Only email one person at a time individually, and wait in between
- Harvest those LinkedIn contacts from earlier
- Call the customer care numbers, but expect frustration, just ask who to contact, don't try to explain the issue
- Is it a big company? Maybe consider sending a tip to Krebs: [email protected]
- Start cold calling those phone numbers of employees